Malware Analysis Report

2025-05-06 00:17

Sample ID: 250418-pp6dlavqz9
Target: tmpxtllxmbq
SHA256: 1fcaf14c2bf8df5d8fa0e8efcf728ba06f2d1fb7ef213d00d7b763031ff9a536
Tags: latentbot, xworm, rat, trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 1fcaf14c2bf8df5d8fa0e8efcf728ba06f2d1fb7ef213d00d7b763031ff9a536
Threat Level: Known bad

The file tmpxtllxmbq was found to be: Known bad.

Malicious Activity Summary

Tags: latentbot, xworm, rat, trojan

Signatures triggered across the analyses below:
  Xworm
  Xworm family
  Detect Xworm Payload
  LatentBot
  Latentbot family
  Legitimate hosting services abused for malware hosting/C2
  Unsigned PE
  Suspicious use of AdjustPrivilegeToken
  Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Reported: 2025-04-18 12:31

Signatures

Unsigned PE
  Description  Indicator  Process  Target
  N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-04-18 12:31
Reported: 2025-04-18 12:33
Platform: win10v2004-20250410-en
Max time kernel: 147s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpxtllxmbq.exe"

Signatures

Detect Xworm Payload
  Description  Indicator  Process  Target
  N/A          N/A        N/A      N/A

LatentBot (tags: trojan, latentbot)

Latentbot family (tags: latentbot)

Xworm (tags: trojan, rat, xworm)

Xworm family (tags: xworm)

Legitimate hosting services abused for malware hosting/C2
  Description  Indicator                  Process  Target
  N/A          raw.githubusercontent.com  N/A      N/A
  N/A          raw.githubusercontent.com  N/A      N/A

Suspicious use of AdjustPrivilegeToken
  Description              Indicator  Process                                            Target
  Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\tmpxtllxmbq.exe  N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\tmpxtllxmbq.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpxtllxmbq.exe"

Network

Country  Destination          Domain                     Proto
US       8.8.8.8:53           raw.githubusercontent.com  udp
US       185.199.109.133:443  raw.githubusercontent.com  tcp
US       8.8.8.8:53           cryptoghost.zapto.org      udp
FR       176.143.53.10:2000   cryptoghost.zapto.org      tcp
US       8.8.8.8:53           abolhb.com                 udp
DE       176.97.210.4:505     abolhb.com                 tcp
DE       176.97.210.4:505     abolhb.com                 tcp
US       8.8.8.8:53           tse1.mm.bing.net           udp
US       150.171.28.10:443    tse1.mm.bing.net           tcp
US       150.171.28.10:443    tse1.mm.bing.net           tcp
US       150.171.28.10:443    tse1.mm.bing.net           tcp
US       150.171.28.10:443    tse1.mm.bing.net           tcp
US       150.171.28.10:443    tse1.mm.bing.net           tcp
US       8.8.8.8:53                                      udp
DE       176.97.210.4:505     abolhb.com                 tcp
US       8.8.8.8:53           c.pki.goog                 udp
NL       173.194.69.94:80     c.pki.goog                 tcp
DE       176.97.210.4:505     abolhb.com                 tcp
DE       176.97.210.4:505     abolhb.com                 tcp
DE       176.97.210.4:505     abolhb.com                 tcp
DE       176.97.210.4:505     abolhb.com                 tcp

Files

memory/544-0-0x00007FF946673000-0x00007FF946675000-memory.dmp
memory/544-1-0x00000000007A0000-0x00000000008FC000-memory.dmp
memory/544-2-0x00007FF946670000-0x00007FF947131000-memory.dmp
memory/544-3-0x0000000001110000-0x0000000001122000-memory.dmp
memory/544-4-0x00007FF946673000-0x00007FF946675000-memory.dmp
memory/544-5-0x00007FF946670000-0x00007FF947131000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-04-18 12:31
Reported: 2025-04-18 12:33
Platform: win11-20250410-en
Max time kernel: 145s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpxtllxmbq.exe"

Signatures

Detect Xworm Payload
  Description  Indicator  Process  Target
  N/A          N/A        N/A      N/A

LatentBot (tags: trojan, latentbot)

Latentbot family (tags: latentbot)

Xworm (tags: trojan, rat, xworm)

Xworm family (tags: xworm)

Legitimate hosting services abused for malware hosting/C2
  Description  Indicator                  Process  Target
  N/A          raw.githubusercontent.com  N/A      N/A
  N/A          raw.githubusercontent.com  N/A      N/A

Suspicious use of AdjustPrivilegeToken
  Description              Indicator  Process                                            Target
  Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\tmpxtllxmbq.exe  N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\tmpxtllxmbq.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpxtllxmbq.exe"

Network

Country  Destination          Domain                     Proto
US       8.8.8.8:53           raw.githubusercontent.com  udp
US       185.199.111.133:443  raw.githubusercontent.com  tcp
FR       176.143.53.10:2000   cryptoghost.zapto.org      tcp
DE       176.97.210.4:505     abolhb.com                 tcp
DE       176.97.210.4:505     abolhb.com                 tcp
DE       176.97.210.4:505     abolhb.com                 tcp
DE       176.97.210.4:505     abolhb.com                 tcp
DE       176.97.210.4:505     abolhb.com                 tcp
DE       176.97.210.4:505     abolhb.com                 tcp
DE       176.97.210.4:505     abolhb.com                 tcp
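The network tables of behavioral1 and behavioral2 list every flow the sandbox saw, with the VM's DNS lookups, the sample's own connections and ordinary Windows background traffic interleaved. The script below is an added example, not part of the sandbox report or its tooling: it takes both tables transcribed verbatim, collapses them into de-duplicated endpoints with a verdict and a hit count, and derives a hunt list. The background-noise allowlist (tse1.mm.bing.net, c.pki.goog), the dynamic-DNS zone list and the "common ports" set are analyst assumptions baked into the example, not findings from the report.

```python
"""Collapse a sandbox report's per-connection network tables into candidate C2 endpoints.
The row blocks are transcribed from this report's behavioral1 and behavioral2 tables
(constructed input for the example: one line per row; a blank domain stays blank)."""
from collections import Counter
import re

BEHAVIORAL1 = """
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 cryptoghost.zapto.org udp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp
US 8.8.8.8:53 abolhb.com udp
DE 176.97.210.4:505 abolhb.com tcp
DE 176.97.210.4:505 abolhb.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
DE 176.97.210.4:505 abolhb.com tcp
US 8.8.8.8:53 c.pki.goog udp
NL 173.194.69.94:80 c.pki.goog tcp
DE 176.97.210.4:505 abolhb.com tcp
DE 176.97.210.4:505 abolhb.com tcp
DE 176.97.210.4:505 abolhb.com tcp
DE 176.97.210.4:505 abolhb.com tcp
"""
BEHAVIORAL2 = """
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
FR 176.143.53.10:2000 cryptoghost.zapto.org tcp
DE 176.97.210.4:505 abolhb.com tcp
DE 176.97.210.4:505 abolhb.com tcp
DE 176.97.210.4:505 abolhb.com tcp
DE 176.97.210.4:505 abolhb.com tcp
DE 176.97.210.4:505 abolhb.com tcp
DE 176.97.210.4:505 abolhb.com tcp
DE 176.97.210.4:505 abolhb.com tcp
"""

RESOLVERS = {"8.8.8.8"}  # the sandbox VM's DNS resolver
# Assumption: hosts a fresh Windows VM contacts by itself (Bing thumbnails, Google
# certificate revocation checks); not attributed to the sample.
BACKGROUND = {"tse1.mm.bing.net", "c.pki.goog"}
STAGING = {"raw.githubusercontent.com"}  # per the "Legitimate hosting services" signature
# Assumption: dynamic-DNS zones favoured by RAT operators (zapto.org is a No-IP zone).
DYNDNS = ("zapto.org", "no-ip.org", "ddns.net", "duckdns.org", "hopto.org")
COMMON_PORTS = {53, 80, 443}  # anything else over tcp is worth a second look
SEVERITY = {"c2-dyndns": 0, "c2-odd-port": 1, "staging": 2, "unclassified": 3, "background": 4}
ROW = re.compile(r"^([A-Z]{2}) ([\d.]+):(\d+)(?: (\S+))? (tcp|udp)$")


def parse_rows(text):
    """Return (country, ip, port, domain, proto) tuples; domain is '' when the report left it blank."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        cc, ip, port, domain, proto = m.groups()
        rows.append((cc, ip, int(port), domain or "", proto))
    return rows


def classify(ip, port, domain, proto):
    if ip in RESOLVERS and port == 53:
        return "dns-lookup"  # the resolved endpoint appears as its own tcp row
    if domain in BACKGROUND:
        return "background"
    if domain in STAGING:
        return "staging"
    if any(domain == z or domain.endswith("." + z) for z in DYNDNS):
        return "c2-dyndns"
    return "c2-odd-port" if proto == "tcp" and port not in COMMON_PORTS else "unclassified"


def triage(*tables):
    """Merge rows from one or more runs into endpoints with a verdict and a connection count."""
    hits = Counter()
    for text in tables:
        for _cc, ip, port, domain, proto in parse_rows(text):
            verdict = classify(ip, port, domain, proto)
            if verdict != "dns-lookup":
                hits[(verdict, domain, ip, port, proto)] += 1
    out = [dict(verdict=v, domain=d, ip=i, port=p, proto=pr, hits=n)
           for (v, d, i, p, pr), n in hits.items()]
    return sorted(out, key=lambda e: (SEVERITY[e["verdict"]], e["domain"], e["ip"]))


def hunt_indicators(*tables):
    """Indicators worth hunting on: C2 domains and ip:port pairs, never the staging CDN."""
    iocs = set()
    for e in triage(*tables):
        if e["verdict"].startswith("c2-"):
            iocs.update({e["domain"], f'{e["ip"]}:{e["port"]}'})
    return sorted(iocs)


if __name__ == "__main__":
    for e in triage(BEHAVIORAL1, BEHAVIORAL2):
        print(f'{e["verdict"]:12} {e["domain"]:28} {e["ip"]}:{e["port"]:<5} x{e["hits"]}')
    print("hunt:", hunt_indicators(BEHAVIORAL1, BEHAVIORAL2))
```

Merging the two runs reduces 31 rows to six endpoints: cryptoghost.zapto.org on 176.143.53.10:2000 (2 connections), abolhb.com on 176.97.210.4:505 (14 connections), raw.githubusercontent.com on two different addresses (185.199.109.133 in behavioral1, 185.199.111.133 in behavioral2), and the two background hosts. The changing GitHub address, and the amount of legitimate content that host serves, is why hunt_indicators() leaves the staging CDN out and returns only the dynamic-DNS name, abolhb.com and the two ip:port pairs; the raw.githubusercontent.com hits are still worth pulling from proxy logs to identify the second-stage URL, but they are not an indicator on their own.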

Files

memory/5932-0-0x00007FFC844F3000-0x00007FFC844F5000-memory.dmp
memory/5932-1-0x0000000000870000-0x00000000009CC000-memory.dmp
memory/5932-2-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp
memory/5932-3-0x000000001B780000-0x000000001B792000-memory.dmp
memory/5932-4-0x00007FFC844F3000-0x00007FFC844F5000-memory.dmp
memory/5932-5-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp
memory/5932-6-0x00000000010A0000-0x00000000010A8000-memory.dmp